Analysis | #totalhash

Analysis Date	2015-10-11 17:00:27
MD5	2c172bc9d6ecaf0933a5449595d0eaf9
SHA1	b12b9612b14cea7c73728da47441584ca3bc50ce

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 34704244d9801f79c2ecc46e795d670d sha1: cc293483f9a1e2d9ae483c6b746509e2da317fa6 size: 803328
Section	.rdata md5: 297db72c3c2ba9879c1a87589ce26ab4 sha1: de0e4f237dceba72a99beee50204fea107448878 size: 329216
Section	.data md5: 989ffaf15813f0b452009d18b76050b5 sha1: 6e37b9c7143504ff18ad4076a3c60096a2e8630b size: 8192
Section	.reloc md5: 25a031915037e38b5a5e394fc45406d7 sha1: 6abb3680cb74165e4a1c95203fa6646e418cb27b size: 59392
Timestamp	2015-02-06 21:03:35
Packer	Microsoft Visual C++ ?.?
PEhash	fcf59429d46eab3beed4150db4c9aa34e98668d2
IMPhash	23a3148bc08ff289738f5a8fc4c5cc4a
AV	CA (E-Trust Ino)	no_virus
AV	F-Secure	Gen:Variant.Kazy.553443
AV	Dr. Web	no_virus
AV	ClamAV	no_virus
AV	Arcabit (arcavir)	Gen:Variant.Kazy.553443
AV	BullGuard	Gen:Variant.Kazy.553443
AV	Padvish	no_virus
AV	VirusBlokAda (vba32)	no_virus
AV	CAT (quickheal)	no_virus
AV	Trend Micro	no_virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Zillya!	no_virus
AV	Emsisoft	Gen:Variant.Kazy.553443
AV	Ikarus	Trojan.Win32.Crypt
AV	Frisk (f-prot)	no_virus
AV	Authentium	W32/SoxGrave.A.gen!Eldorado
AV	MalwareBytes	no_virus
AV	MicroWorld (escan)	Gen:Variant.Kazy.553443
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort!rfn
AV	K7	Trojan ( 004c77f41 )
AV	BitDefender	Gen:Variant.Kazy.553443
AV	Fortinet	W32/Kryptik.DDQD!tr
AV	Symantec	Downloader.Upatre!g15
AV	Grisoft (avg)	Win32/Cryptor
AV	Eset (nod32)	Win32/Kryptik.CXVL
AV	Alwil (avast)	Dropper-gen [Drp]
AV	Ad-Aware	Gen:Variant.Kazy.553443
AV	Rising	no_virus
AV	Twister	no_virus
AV	Avira (antivir)	TR/Agent.1201152.10
AV	Mcafee	Trojan-FGIJ!2C172BC9D6EC

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\kmgodmnl50gulv2ssp7ax.exe
Creates File	C:\WINDOWS\system32\kysrkekwz\tst
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\kmgodmnl50gulv2ssp7ax.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\kmgodmnl50gulv2ssp7ax.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Secure Grouping Framework IKE DCOM ➝ C:\WINDOWS\system32\ipbhfhu.exe
Creates File	C:\WINDOWS\system32\kysrkekwz\lck
Creates File	C:\WINDOWS\system32\drivers\etc\hosts
Creates File	C:\WINDOWS\system32\ipbhfhu.exe
Creates File	C:\WINDOWS\system32\kysrkekwz\etc
Creates File	C:\WINDOWS\system32\kysrkekwz\tst
Deletes File	C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process	C:\WINDOWS\system32\ipbhfhu.exe
Creates Service	Topology Publication Backup Copy Image - C:\WINDOWS\system32\ipbhfhu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	C:\WINDOWS\Prefetch\RUNDLL32.EXE-1BC69D2D.pf
Creates File	C:\WINDOWS\Prefetch\HCKPJWMHAKW.EXE-071894FD.pf
Creates File	C:\WINDOWS\Prefetch\IPBHFHU.EXE-3A9745BE.pf
Creates File	C:\WINDOWS\Prefetch\KMGODMNL50GULV2SSP7AX.EXE-15896EDD.pf
Creates File	C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File	C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File	C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File	C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File	C:\WINDOWS\Prefetch\KMGODMNUSOGULV2.EXE-2B65D5B5.pf
Creates File	C:\WINDOWS\Prefetch\B12B9612B14CEA7C73728DA474415-018A653A.pf
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File	C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1204

Process
↳ Pid 1320

Process
↳ Pid 1864

Process
↳ Pid 532

Process
↳ C:\WINDOWS\system32\ipbhfhu.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File	C:\WINDOWS\system32\hckpjwmhakw.exe
Creates File	C:\WINDOWS\system32\kysrkekwz\run
Creates File	C:\WINDOWS\TEMP\kmgodmnusogulv2.exe
Creates File	C:\WINDOWS\system32\kysrkekwz\cfg
Creates File	C:\WINDOWS\system32\kysrkekwz\lck
Creates File	pipe\net\NtControlPipe10
Creates File	C:\WINDOWS\system32\kysrkekwz\rng
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\kysrkekwz\tst
Deletes File	C:\WINDOWS\TEMP\kmgodmnusogulv2.exe
Creates Process	WATCHDOGPROC "c:\windows\system32\ipbhfhu.exe"
Creates Process	C:\WINDOWS\TEMP\kmgodmnusogulv2.exe -r 33697 tcp

Process
↳ C:\WINDOWS\system32\ipbhfhu.exe

Creates File	C:\WINDOWS\system32\kysrkekwz\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\ipbhfhu.exe"

Creates File	C:\WINDOWS\system32\kysrkekwz\tst

Process
↳ C:\WINDOWS\TEMP\kmgodmnusogulv2.exe -r 33697 tcp

Creates File	\Device\Afd\Endpoint
Winsock DNS	239.255.255.250

Network Details:

DNS	queentell.net Type: A 208.91.197.241
DNS	wednesdayhalf.net Type: A 208.91.197.241
DNS	mouthrest.net Type: A 208.91.197.241
DNS	drivethirteen.net Type: A 208.91.197.241
DNS	faceboat.net Type: A 208.91.197.241
DNS	muchhappy.net Type: A 208.91.197.241
DNS	callmile.net Type: A 208.91.197.241
DNS	visitlive.net Type: A 84.16.92.233
DNS	watchmine.net Type: A 74.86.188.172
DNS	fairserve.net Type: A 184.95.49.118
DNS	dreamhello.net Type: A 195.22.26.248
DNS	dreammine.net Type: A 195.22.26.248
DNS	dreamlive.net Type: A 208.48.81.134
DNS	dreamlive.net Type: A 64.15.205.100
DNS	dreamlive.net Type: A 64.15.205.101
DNS	dreamlive.net Type: A 208.48.81.133
DNS	thislive.net Type: A 208.100.26.234
DNS	dreamserve.net Type: A 46.30.212.89
DNS	southhouse.net Type: A 116.126.87.124
DNS	arivegift.net Type: A 195.22.26.252
DNS	arivegift.net Type: A 195.22.26.253
DNS	arivegift.net Type: A 195.22.26.254
DNS	arivegift.net Type: A 195.22.26.231
DNS	spothouse.net Type: A 81.169.145.88
DNS	salthouse.net Type: A 208.73.211.192
DNS	salthouse.net Type: A 208.73.211.195
DNS	salthouse.net Type: A 208.73.211.179
DNS	salthouse.net Type: A 208.73.211.183
DNS	groupgift.net Type: A 162.243.147.202
DNS	equalpeace.net Type: A 184.168.221.55
DNS	grouppeace.net Type: A 50.63.202.60
DNS	spokehouse.net Type: A 202.124.241.178
DNS	watchhouse.net Type: A 78.137.164.56
DNS	fairhouse.net Type: A 192.214.104.78
DNS	watchgift.net Type: A 184.168.221.16
DNS	dreamhouse.net Type: A 69.172.201.208
DNS	thishouse.net Type: A 207.148.248.143
DNS	dreamgift.net Type: A 98.126.32.242
DNS	ableread.net Type: A
DNS	soilunder.net Type: A
DNS	fearstate.net Type: A
DNS	visithello.net Type: A
DNS	spokemine.net Type: A
DNS	visitmine.net Type: A
DNS	spokelive.net Type: A
DNS	spokeserve.net Type: A
DNS	visitserve.net Type: A
DNS	watchhello.net Type: A
DNS	fairhello.net Type: A
DNS	fairmine.net Type: A
DNS	watchlive.net Type: A
DNS	fairlive.net Type: A
DNS	watchserve.net Type: A
DNS	thishello.net Type: A
DNS	thismine.net Type: A
DNS	thisserve.net Type: A
DNS	arivehouse.net Type: A
DNS	southgift.net Type: A
DNS	arivetuesday.net Type: A
DNS	southtuesday.net Type: A
DNS	arivepeace.net Type: A
DNS	southpeace.net Type: A
DNS	uponhouse.net Type: A
DNS	whichhouse.net Type: A
DNS	upongift.net Type: A
DNS	whichgift.net Type: A
DNS	upontuesday.net Type: A
DNS	whichtuesday.net Type: A
DNS	uponpeace.net Type: A
DNS	whichpeace.net Type: A
DNS	spotgift.net Type: A
DNS	saltgift.net Type: A
DNS	spottuesday.net Type: A
DNS	salttuesday.net Type: A
DNS	spotpeace.net Type: A
DNS	saltpeace.net Type: A
DNS	gladhouse.net Type: A
DNS	takenhouse.net Type: A
DNS	gladgift.net Type: A
DNS	takengift.net Type: A
DNS	gladtuesday.net Type: A
DNS	takentuesday.net Type: A
DNS	gladpeace.net Type: A
DNS	takenpeace.net Type: A
DNS	equalhouse.net Type: A
DNS	grouphouse.net Type: A
DNS	equalgift.net Type: A
DNS	equaltuesday.net Type: A
DNS	grouptuesday.net Type: A
DNS	visithouse.net Type: A
DNS	spokegift.net Type: A
DNS	visitgift.net Type: A
DNS	spoketuesday.net Type: A
DNS	visittuesday.net Type: A
DNS	spokepeace.net Type: A
DNS	visitpeace.net Type: A
DNS	fairgift.net Type: A
DNS	watchtuesday.net Type: A
DNS	fairtuesday.net Type: A
DNS	watchpeace.net Type: A
DNS	fairpeace.net Type: A
DNS	thisgift.net Type: A
DNS	dreamtuesday.net Type: A
DNS	thistuesday.net Type: A
HTTP GET	http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://callmile.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://visitlive.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://watchmine.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://fairserve.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://dreamhello.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://dreammine.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://dreamlive.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://thislive.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://dreamserve.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://southhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://arivegift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://spothouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://salthouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://groupgift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://equalpeace.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://grouppeace.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://spokehouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://watchhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://fairhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://watchgift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://dreamhouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://thishouse.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://dreamgift.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://queentell.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://mouthrest.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://drivethirteen.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://faceboat.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
HTTP GET	http://muchhappy.net/index.php?method=validate&mode=sox&v=040&sox=4b174c04&lenhdr User-Agent:
Flows TCP	192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1044 ➝ 84.16.92.233:80
Flows TCP	192.168.1.1:1045 ➝ 74.86.188.172:80
Flows TCP	192.168.1.1:1046 ➝ 184.95.49.118:80
Flows TCP	192.168.1.1:1047 ➝ 195.22.26.248:80
Flows TCP	192.168.1.1:1048 ➝ 195.22.26.248:80
Flows TCP	192.168.1.1:1049 ➝ 208.48.81.134:80
Flows TCP	192.168.1.1:1050 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1051 ➝ 46.30.212.89:80
Flows TCP	192.168.1.1:1052 ➝ 116.126.87.124:80
Flows TCP	192.168.1.1:1053 ➝ 195.22.26.252:80
Flows TCP	192.168.1.1:1054 ➝ 81.169.145.88:80
Flows TCP	192.168.1.1:1055 ➝ 208.73.211.192:80
Flows TCP	192.168.1.1:1056 ➝ 162.243.147.202:80
Flows TCP	192.168.1.1:1057 ➝ 184.168.221.55:80
Flows TCP	192.168.1.1:1058 ➝ 50.63.202.60:80
Flows TCP	192.168.1.1:1059 ➝ 202.124.241.178:80
Flows TCP	192.168.1.1:1060 ➝ 78.137.164.56:80
Flows TCP	192.168.1.1:1061 ➝ 192.214.104.78:80
Flows TCP	192.168.1.1:1062 ➝ 184.168.221.16:80
Flows TCP	192.168.1.1:1063 ➝ 69.172.201.208:80
Flows TCP	192.168.1.1:1064 ➝ 207.148.248.143:80
Flows TCP	192.168.1.1:1065 ➝ 98.126.32.242:80
Flows TCP	192.168.1.1:1066 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1067 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1068 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1069 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1070 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1071 ➝ 208.91.197.241:80

Raw Pcap

Strings